verifyfirst
commented
3 years ago Although a low risk issue, it is valid and the suggested mitigation is correctly proposed.
Open code423n4 opened 3 years ago
verifyfirst
commented
3 years ago Although a low risk issue, it is valid and the suggested mitigation is correctly proposed.
ghoul-sol
commented
3 years ago Making this medium risk as no funds are lost.
Handle
shw
Vulnerability details
Impact
The
claimAllForMemberfunction ofDaois permissionless, allowing anyone to claim the unlocked bonded LP tokens for any member. However, claiming a member's LP tokens could decrease the member's weight in theBondVault, thus affecting the member's votes and rewards in theDaocontract.Proof of Concept
For example, an attacker can intentionally front-run a victim's
voteProposalcall to decrease the victim's vote weight to prevent the proposal from being finalized:BondVaultis 201, the total weight is 300. The victim has some LP tokens claimable from the vault, and if claimed, the victim's weight will be decreased to 101. To simplify the situation, assuming that the victim's weight in theDaoVaultand the total weight of theDaoVaultare both 0.voteProposal, the proposal will be finalized since the victim has the majority weight (201/300 > 66.6%).claimAllForMemberwith the victim as the parameter to intentionally decrease the victim's weight.Similarly, an attacker can front-run a victim's
harvestcall to intentionally decrease the victim's reward since the amount of reward is calculated based on the victim's current weight.Referenced code: Dao.sol#L179-L206 Dao.sol#L276-L285 Dao.sol#L369-L383 Dao.sol#L568-L574 Dao.sol#L577-L586 BondVault.sol#L104-L117 BondVault.sol#L120-L129 BondVault.sol#L155-L162
Recommended Mitigation Steps
Consider removing the
memberparameter in theclaimAllForMemberfunction and replace allmembertomsg.senderto allow only the user himself to claim unlocked bonded LP tokens.